Why this talk?




Goal 1

Raise the profile of Red Teaming operations as a 
means of promoting the uptake of IT security 

Goal 2 

Illustrate the benefits, challenges, and potential
pitfalls from both the client's and the service
provider's perspective.



Why this talk? 




"People only accept change when they are faced 
with necessity, and only recognize necessity 
when a crisis is upon them." — Jean Monnet 



What is Red Teaming? 




We emulate a 'crisis' so the client is more willing 
to accept change. 



What is Red Teaming? 




Originally a military concept 



What is Red Teaming? 




A form of penetration testing 
(Strictly speaking) 



A definition 




A simulated attack against a client's network,
from the Internet, to assess the security posture
of that network



What is Red Teaming? 




Focusing on the operational environment rather 
than a specific system 



Why use it? 




Demonstrate harm. Get senior buy-in. Promote
improvements to security culture. 



What it's not 




Red Teaming is not a substitute for a network
vulnerability assessment. Especially if the client
is already quite security conscious.



Methodology 



1. Recon
2. Access
3. Persistence
4. Privilege Escalation
5. Propagation
6. Exfiltration
7. Noise Escalation




Methodology - Stages 





Methodology - Recon 




Methodology - Access 




Methodology - Persistence 




Methodology - Privilege Escalation




Methodology - Propagation 




Methodology - Exfiltration 




Methodology - Noise Escalation 




Methodology - Recon 




Recon is obviously necessary to make sure you 
target the right network! 



Methodology - Recon 




But don't overdo it! 



Methodology - Access 




To: HR.Department@client.com.au 

From: John.Applicant@gmail.com 

Subject: Job application Ref #1234 

Attachments: John Applicant resume.pdf 



Would you expect your HR department to open 
the attachment? 



Methodology - Access 




There are many ways to gain initial 'access', but 
this isn't a 'how to hack' talk... 



Demonstrating the threat 




"I don't care if my network has been 
compromised, as long as it doesn't affect my 
uptime" 



Demonstrating the threat 




Really? 



Demonstrating the threat 




Find out what they do care about...



Demonstrating the threat 




ask them! 



Demonstrating the threat 




Ask your client what it is they care about the 
most. This is what you will attack. 



Demonstrating the threat 




Why not just do a vulnerability assessment? 



The client needs an impetus to change 



Demonstrating the threat 




Why are organisations still being compromised? 



Exploiting the trust environment 




You need to trust your users. 



But in a targeted attack, the attacker becomes 
the user... 



Exploiting the trust environment 




and detecting that a user isn't who they say 
they are is hard 



Observations from the field 




What about monitoring systems? 



Observations from the field 




Should I give up on monitoring? 



Observations from the field 




Attacking a host without host-based security?
Too easy. 



Observations from the field 




Attacking a host with DSD's top 5 security 
mitigations? 

Difficult. 



Observations from the field 




Red teaming can also show you what you're 
doing wrong. 



Observations from the field 




If you control the network, you can beat the two-
factor authentication scheme. 



Observations from the field 




No authentication mechanism is secure
across the network if the host has been
compromised.



War gaming 




The big questions... 
• Can we clean up?
• How well can we clean up?




War gaming 




Using a Red Teaming service as a war game
scenario allows you to test all these things
without wasting resources.



War gaming 




Two scenarios: 

• Client detects the red team mid-op
• Red team finishes or goes to escalation phase,
  client attempts clean-up



Avoiding Common Pitfalls 



Legal 
• Approval - obviously
• Report criminal activity to police
• Report breaches of policy to client




Avoiding Common Pitfalls 



Privacy 
• No impersonating
• Custom or trusted software




Avoiding Common Pitfalls 




You need a sound de-confliction process 
Beware changes in management 



Avoiding Common Pitfalls 




Logging and audit trails are essential 



Avoiding Common Pitfalls 




Avoid the blame game 



Avoiding Common Pitfalls 




The report should encourage the client to
embrace a security mindset,
so speak the client's language.



In Summary 




Demonstrate harm. 

Promote improvements to security culture. 

Test incident response capability. 

Provide the client with real value. 



Thank You 





